From 621fa92036d59aa6558df828a1ff48136eed19ce Mon Sep 17 00:00:00 2001
From: Reto Brunner
Date: Sat, 6 Aug 2022 12:37:51 +0200
Subject: [PATCH] linkPreviews: Enforce TLS validity

When a URL is prefixed with a TLS scheme, we should make sure that the remote provides a valid cert, even just for prefetches. Else MITM of such a site is trivial. This probably breaks some people with self signed cert, but the age where that was acceptable is past. We have free CAs now like Let's Encrypt.
---
 server/plugins/irc-events/link.ts | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/server/plugins/irc-events/link.ts b/server/plugins/irc-events/link.ts
index e9ae49c4..e370fc7a 100644
--- a/server/plugins/irc-events/link.ts
+++ b/server/plugins/irc-events/link.ts
@@ -437,9 +437,6 @@ function fetch(uri: string, headers: Record) {
 retry: 0,
 timeout: prefetchTimeout || 5000, // milliseconds
 headers: getRequestHeaders(headers),
- https: {
- rejectUnauthorized: false,
- },
 });
 gotStream
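Review bot: Removing the `https` block leaves certificate validation to the HTTP library's default, which is the right outcome but is now invisible at the call site, so a later "fix" for a broken preview of a self-signed host could quietly reintroduce `rejectUnauthorized: false`. I would pin the intent with a comment after `headers: getRequestHeaders(headers),`: `// TLS certificates are validated (library default). Do not add rejectUnauthorized: false here; deployments with a private CA should trust it via NODE_EXTRA_CA_CERTS instead.` That also records the supported alternative for the operators the commit message says this will break. The enclosing fetch() starts before the hunk and the gotStream handling continues after it, so I could not check whether a TLS error on the stream is surfaced or silently dropped.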